
Verify TCP reset is actually working

How do I see if the TCP reset is working?

I have IDM, IEV, IDS MC, and for some reason I cannot locate the information.

Thanks in advance

2 REPLIES

Re: Verify TCP reset is actually working

Hi,

Besides logging directly to IDM or using IDS MC, you may use IEV to view the TCP reset action taken by the IDS.

1. Launch your IEV

2. Under 'View', double-click the "Sig Name Group".

2. Right-click the log associated with the signature you've selected, for example "TCP Segment Overwrite" (SID 1300).

I assumed you have already set the "EventAction" under your selected signature (tcp-based) to include 'reset'.

3. Back in IEV, right-click the signature log and choose 'Expand Whole Details'. A window will pop up with details on the attack log.

4. Right-click this event, and choose 'View Alarms'.

5. Scroll to the right, and look under 'TCP Reset Sent'. If the stated value is 'true', the IDS has performed the TCP reset for the attack event.

Cheers!

AK


Re: Verify TCP reset is actually working

Thanks for the information, very helpful
